User Interface Tabs
The EventLog Analyzer user interface provides tabs for accessing the various sections of the product. The tabs are described in turn below.
The Home tab contains the centralized EventLog Analyzer dashboard, which is itself divided into dashboard tabs.
The EventLog Analyzer dashboard consists of tabs, a few of which are prebuilt and ready for use. In addition to the default tabs, the dashboard is customizable: users can create and construct their own tabs and fill them with graphical widgets that give better visibility into network events from a single pane. Device group-specific dashboard profiles can be created so that the dashboards display only information relevant to the device groups assigned to that profile. From the dashboard, you can also look at the Log Sources on which the dashboard and its widgets are built. The Log Sources section is split into three subdivisions: Devices, Applications, and File Monitoring.
The Devices section displays the entire list of systems (Windows, Linux, IBM AS/400, HP-UX, etc.) and devices (routers, switches, etc.) from which EventLog Analyzer is collecting logs. The device list is filtered by the Device group selected from the drop-down list (default: All Groups). From this section you can add a new device (+Device), or add and schedule new reports (+Schedule). You can search for a particular device by its IP address or device name, delete a device or set of devices, and disable or enable log collection from a particular device or set of devices. The device list table displays details such as device type, event summary (error, warning, failure, others), connection status, the time the last log message was fetched, and the device group to which the device belongs. Moving the mouse over any device brings up the following options:
- View the last 10 events collected from a particular device.
- Update the device details.
- Ping the device.
- Enable/disable log collection from the device.
You can also customize the columns displayed in the device table by clicking the column selector icon, or increase the number of devices displayed per page (from a minimum of 5 to a maximum of 200 devices per page).
Using the drop-down menu, you can list only Active devices or only Enabled devices, and you have the option to exclude devices synced from Active Directory Audit Plus.
The Applications section provides an overview pie chart (which can be drilled down to the raw log information) and lists the devices from which application logs for IIS W3C Web Servers, IIS W3C FTP Servers, MS SQL Servers, Oracle Live Audit, DHCP Windows/Linux Servers, Apache Web Servers, or Print Servers have been received or imported into EventLog Analyzer. The device list is filtered by the Application Type selected from the drop-down list (default: All Applications). Application logs can be imported into EventLog Analyzer by selecting +Import from the Actions drop-down list. Individual add options are provided for Oracle, Print, MS SQL, and Terminal Server logs: once the machines running these applications have been added as devices to EventLog Analyzer, select the respective add option from the Actions drop-down list and provide the name of the device on which the application is running.
The application device list displays details such as device name, application type, total events, recent records, time imported, start time, and end time. Click a device name, or the corresponding section of the pie chart, to get a complete overview of that application's event data and to generate the corresponding reports. You can also customize the columns displayed in the application device table by clicking the column selector icon.
The custom reports and canned (prebuilt) reports are displayed in the Reports tab. Custom reports can be created, modified, deleted, scheduled, and rescheduled; the report profiles can be imported, and exported in PDF, CSV, and XML formats.
The canned reports available are top N reports, user activity reports, trend reports, detailed application reports, and detailed device reports. The top N reports list in descending order, the devices with most number of user accessed, users with most number of logins, users with most number of interactive logins, devices based on event severity, and processes based on event severity.
The Compliance tab provides the sets of canned reports required by various compliance policies, namely FISMA, PCI-DSS, SOX, HIPAA, GLBA, GPG, and ISO 27001:2013. The +Add option lets you create a new compliance policy of your choice and select the reports it requires. The Edit option lets you customize the reports available under each compliance policy.
The Search tab provides two ways to search the raw logs: Basic Search or Advanced Search. The search result is displayed in the lower half of the page; the final result can be saved as a report (in PDF or CSV format) and can also be scheduled to be generated at predefined intervals and automatically mailed to a set of configured users. Use ‘Basic’ search if you prefer to construct the search query by hand: phrase search, Boolean search, grouped search, and wild-card search are available for building the query. Use ‘Advanced’ search to interactively build complex queries from field-value pairs and relational operators; the fields can be grouped with Boolean operators.
New fields can be extracted from the search result, and regular expression (regex) patterns can be constructed so that EventLog Analyzer identifies, parses, and indexes these fields in new logs as they are received.
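The field-extraction and search ideas described above, as an added illustration that is not code or syntax from EventLog Analyzer itself: named-group regexes play the role of extracted fields, every log line is parsed into a field dict, and a small Boolean query tree (an assumed mini-syntax, not the product's query language) with wildcard field matches and phrase search is evaluated over the parsed lines. The log lines are constructed for the example.

```python
import fnmatch
import re

# Constructed sample log lines in a syslog-like format (made up for this example,
# not taken from any real device or from EventLog Analyzer).
SAMPLE_LOGS = [
    "Jan 12 10:01:02 fw01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51514 ssh2",
    "Jan 12 10:01:04 fw01 sshd[2201]: Failed password for root from 203.0.113.5 port 51516 ssh2",
    "Jan 12 10:01:09 web02 sshd[3310]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2",
    "Jan 12 10:02:15 web02 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx",
]

# Each pattern defines fields via named groups. A field is only set when its
# pattern matches, so lines of different shapes get different field sets.
FIELD_PATTERNS = [
    # syslog header: timestamp, host, program and optional pid
    re.compile(r"^(?P<timestamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
               r"(?P<program>[\w/-]+)(?:\[(?P<pid>\d+)\])?: "),
    # sshd authentication outcome
    re.compile(r"(?P<action>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
               r"(?P<user>\S+) from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<src_port>\d+)"),
    # sudo target user and command
    re.compile(r"USER=(?P<target_user>\S+) ; COMMAND=(?P<command>.+)$"),
]


def extract_fields(line):
    """Return a dict of the fields every matching pattern extracts from one line."""
    fields = {"raw": line}
    for pattern in FIELD_PATTERNS:
        match = pattern.search(line)
        if match:
            fields.update({k: v for k, v in match.groupdict().items() if v is not None})
    return fields


def matches(fields, query):
    """Evaluate a query tree against one extracted-field dict.

    Query nodes (a constructed mini-syntax, not the product's own query language):
      ("eq", field, value)   field equals value; value may use * and ? wildcards
      ("phrase", text)       case-insensitive substring of the raw log line
      ("and", q1, q2, ...), ("or", q1, q2, ...), ("not", q)
    """
    op = query[0]
    if op == "and":
        return all(matches(fields, q) for q in query[1:])
    if op == "or":
        return any(matches(fields, q) for q in query[1:])
    if op == "not":
        return not matches(fields, query[1])
    if op == "eq":
        _, field, value = query
        return field in fields and fnmatch.fnmatchcase(fields[field], value)
    if op == "phrase":
        return query[1].lower() in fields["raw"].lower()
    raise ValueError(f"unknown query operator {op!r}")


def search(lines, query):
    """Index every line into fields, then keep those the query matches."""
    return [f for f in (extract_fields(line) for line in lines) if matches(f, query)]


if __name__ == "__main__":
    # Failed logins from the 203.0.113.0/24 range, grouped with a Boolean AND
    failed = search(SAMPLE_LOGS, ("and", ("eq", "action", "Failed"), ("eq", "src_ip", "203.0.113.*")))
    for f in failed:
        print(f["timestamp"], f["host"], f["user"], f["src_ip"])
    # Privilege use: sudo records OR accepted key-based logins
    priv = search(SAMPLE_LOGS, ("or", ("eq", "program", "sudo"), ("phrase", "accepted publickey")))
    print(len(priv), "privilege-related records")
```

A practical caveat the example makes visible: a field only exists on lines whose pattern matched, so an `eq` condition on a missing field is simply false rather than an error. When you define extraction patterns for a new log source, test them against a line of each shape the source emits before relying on them in alerts.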
The Alerts tab lets you create alert profiles that notify you or your team about threshold violations, network anomalies, user activities, or compliance violations. The tab displays all alert profiles and the alerts generated, and provides options to disable, modify, or delete any existing alert profile. Alert profiles can also be exported or imported in XML format.
The Correlation tab presents a set of predefined rules across several categories that generate alerts when certain events (or combinations of events) occur a specified number of times within a specified time period. The Add Rule option opens the correlation rule builder, a drag-and-drop interface for building your own rules from the predefined events provided. Options to view the Session Activity and the Last 10 Incidents are also provided.
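The two rule shapes the Correlation tab describes, as an added example that is not EventLog Analyzer's rule engine or rule syntax: a threshold rule (an event type seen N times for the same key within a time window) and a sequence rule (one event type followed by another for the same key within a window). Rule names, event types, and the events themselves are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed, already-parsed events (made up for this example). Timestamps are ISO 8601.
EVENTS = [
    {"ts": "2024-01-12T10:01:02", "type": "login_failed", "user": "admin", "src_ip": "203.0.113.5"},
    {"ts": "2024-01-12T10:01:04", "type": "login_failed", "user": "root", "src_ip": "203.0.113.5"},
    {"ts": "2024-01-12T10:01:05", "type": "login_failed", "user": "oracle", "src_ip": "203.0.113.5"},
    {"ts": "2024-01-12T10:01:30", "type": "login_failed", "user": "bob", "src_ip": "198.51.100.7"},
    {"ts": "2024-01-12T10:01:41", "type": "login_success", "user": "root", "src_ip": "203.0.113.5"},
    {"ts": "2024-01-12T10:20:00", "type": "login_failed", "user": "bob", "src_ip": "198.51.100.7"},
    {"ts": "2024-01-12T10:20:01", "type": "login_failed", "user": "bob", "src_ip": "198.51.100.7"},
]


@dataclass
class ThresholdRule:
    """Alert when `threshold` events of `event_type` share a `key` value within `window`."""
    name: str
    event_type: str
    key: str
    threshold: int
    window: timedelta


@dataclass
class SequenceRule:
    """Alert when a `then_type` event follows a `first_type` event with the same `key` within `window`."""
    name: str
    first_type: str
    then_type: str
    key: str
    window: timedelta


# Hypothetical rules, named for this example only
RULES = [
    ThresholdRule("ssh-brute-force", "login_failed", "src_ip", threshold=3, window=timedelta(seconds=60)),
    SequenceRule("failed-then-success", "login_failed", "login_success", "src_ip", window=timedelta(seconds=120)),
]


def correlate(events, rules):
    """Replay events in time order and return the alerts the rules raise."""
    alerts = []
    windows = defaultdict(deque)   # (rule name, key value) -> timestamps still inside the window
    last_first = {}                # (rule name, key value) -> time of the latest first_type event
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        for rule in rules:
            key_value = ev.get(rule.key)
            if key_value is None:
                continue           # a rule cannot group an event that lacks its key field
            state_key = (rule.name, key_value)
            if isinstance(rule, ThresholdRule):
                if ev["type"] != rule.event_type:
                    continue
                q = windows[state_key]
                q.append(ts)
                while ts - q[0] > rule.window:   # drop timestamps that fell out of the window
                    q.popleft()
                if len(q) >= rule.threshold:
                    alerts.append({"rule": rule.name, rule.key: key_value, "at": ev["ts"], "count": len(q)})
                    q.clear()                    # one alert per burst, then count afresh
            elif isinstance(rule, SequenceRule):
                if ev["type"] == rule.first_type:
                    last_first[state_key] = ts
                elif (ev["type"] == rule.then_type and state_key in last_first
                        and ts - last_first[state_key] <= rule.window):
                    alerts.append({"rule": rule.name, rule.key: key_value, "at": ev["ts"]})
                    del last_first[state_key]    # consume the pairing so it fires once
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS, RULES):
        print(alert)
```

Two design points matter when you write real correlation rules. The window is evaluated per key (here the source IP), so three failures spread across three hosts do not add up; and the counter is cleared after an alert, so a sustained attack produces one alert per threshold-sized burst rather than one per event after the threshold. In the constructed data, 198.51.100.7 fails three times but never within 60 seconds, so it correctly raises nothing.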
The Settings tab allows you to configure EventLog Analyzer according to your IT infrastructure. It has three sub-sections: Configuration, Admin Settings, and System Settings.
Configuration covers: Manage Devices, Manage Device Groups, Manage Applications, Import Logs, Archive, Report Profiles, File Integrity Monitoring, and Custom Log Parser.
Admin Settings covers administrative activities such as: Agent Administration, Technicians and Roles, DB Retention Settings, Log Collection Filter, Working Hour Settings, Product Settings, and Log Collection Alerts.
System Settings consists of system configuration settings such as: Notification Settings, Server Diagnostics, Database Access, Re-branding, NT Service, and Connection Settings.
From this tab, you can add a